Connect over SSH

Setting up password-less SSH connections between known machines, while requiring two-factor authentication (2FA) from unknown machines.

You can do both together or only do one and not the other.

First install a 2-factor authenticator app on your phone, like the one from LastPass.

Configure for password-less authentication

Run the following commands on the local machine. The first is needed only once. If the user name is the same on both machines, you can leave out the user@ part.

ssh-copy-id user@remote-machine
ssh user@remote-machine

You now are able to log in without a password. This is much safer than typing in a password.

Configuring 2FA

This is based on Debian 10.2 and should work on most deb-based systems. If you change the install command to your distro's package manager (e.g. zypper instead of apt), it should work on others as well.

Run the following on the machine where you want 2FA to be active. This can be the local machine, or the remote one after you ssh into it. Default settings are used.

su - (or sudo -i)
apt install libpam-google-authenticator libqrencode3
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
service ssh restart
google-authenticator -tfD -w 17 -r 3 -R 30 -Q UTF8   # writes ~/.google_authenticator of the user running it

Open the app on your phone and scan the QR code shown in the terminal, or open the URL that is printed. Now you need to restart the ssh server. As root or with root rights:

service sshd restart

You are now able to connect to the machine over ssh without a password from the machine and user that has the key. From any other machine, you will be asked for a verification code. Use the authenticator app on your phone for that.

Extra things that you can do

In sshd_config you can disallow root login with "PermitRootLogin no" and allow only a specific user to log in with "AllowUsers user_name".

You can copy the ~/.google_authenticator file from the remote machine to other machines where google-authenticator is installed, so you need only one key.

You can use the authenticator app for Amazon and other services as well, e.g. your own website.